Author Topic: Effective Ways to Tighten Your Server Security

Administrator
Effective Ways to Tighten Your Server Security
« on: December 22, 2013, 08:24:00 AM »

“Prevention is better than cure”, and server security engineers can really appreciate the importance of this quote after the recent security breaches at Dropbox, WHMCS, etc. With growing technical advancement it has probably become impossible to keep your server completely protected from hackers, but with the measures below you can surely make it hard for a hacker to penetrate your secured server zone.

Note: This article is for people who are already familiar with the basics of shared hosting security. It is based on input from security engineers at top web hosting companies.

Here are the server security measures:

1. Backups

Take local and remote backups of VHDs if you maintain virtual servers for your shared and reseller hosting services. With VHD backups you can protect your servers against a file system crash or hardware failure; even if that happens, you can bring the server back up in a fraction of the time.

2. Default Port Customization

Customize the default ports and block all default ports and settings in the server firewall. For example, use a different port in place of 3306 (MySQL) and 1433 (MSSQL) to secure your database servers. Disable all default users for database administration and create another user with a different name.

3. Ports

Close all unnecessary ports and open only the ports that are in use for a particular service.

4. Prepare Firewall Policy

Define rules: default rules to be implemented by your team on any kind of server, role-based rules for a particular service, and on-demand rules. Make sure that your firewall policy is implemented by your team on all servers before they go live. It is widely noted that servers with a disabled firewall get hacked more frequently. Install a firewall checker script on all servers that checks the status of the firewall every two minutes or so and re-enables it if it has been disabled.

5. Network Access Restriction

Restrict access to RDP, remote administration, WMI scripts, SSH ports, file sharing on servers, etc. to your company network only.

6. Be tricky

Rename the default server administrator user and disable the guest account.

7. Keep A Track

Enable user login logs and create separate login accounts for the different admins who access the servers. Create a syslog server where you can store all logs of switches, routers and firewalls. With a syslog server you can trace any logs related to a particular event and find the root cause.

Keep all of your web applications up to date. This includes any modules, components and add-ons you have added or integrated.

Deploy a Host-based Intrusion Detection System (HIDS) (e.g. OSSEC) to help you detect when users are behaving badly. OSSEC is a scalable, multi-platform, open source HIDS. It has a powerful correlation and analysis engine, integrating log analysis, file integrity checking, Windows registry monitoring, centralized policy enforcement, rootkit detection, real-time alerting and active response. It runs on most operating systems, including Linux, OpenBSD, FreeBSD, MacOS, Solaris and Windows.

8. Software Policy

Make a software policy with a list of the software allowed on servers. Enforce the policy with McAfee firewall software, which should automatically block any other software that tries to access the server.

9. Limited Access

Most websites get hacked because the user gives full access, or read and write access, to the wwwroot folder of their website and assigns the “Network Service” permissions to their root folder, which serves as an invitation to a hacker to hack the website. Educate your clients about access rights, or ask your server audit team to check the access rights on a monthly basis.

10. Set Alerts

Prepare or buy server scripts that send you an alert for any change made to the server or its components. You can configure these scripts in the configuration of your main applications.

11. Forget abcd123

Pick strong passwords for the main cPanel account, MySQL, FTP and mail users. Never use the same password for different users; for example, a MySQL user should not have the same password as your cPanel user or an FTP user. It is essential that your cPanel user’s password cannot be found in any file on your account by any means.

12. Above 755 – Keep them out

Avoid having directories with permissions above 755. If your applications require such directories, try to put them outside your webroot (public_html), or place a .htaccess file in them containing “deny from all” to restrict public access to these files.
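As an added example covering items 9 and 12 (this is not a script from the original post): a Python audit that walks a web root, flags every directory whose mode has any bit beyond 755 (group/other write, setuid/setgid/sticky), and reports whether the directory at least carries the “deny from all” .htaccess recommended above. The sample public_html tree is constructed in a temporary directory and is hypothetical.

```python
import os
import stat
import tempfile

def permissive_dirs(webroot):
    """Return [(relpath, octal_mode, has_deny_all)] for every directory
    under webroot whose mode has any bit beyond 755 (group/other write,
    setuid/setgid/sticky)."""
    findings = []
    for dirpath, _dirs, _files in os.walk(webroot):
        mode = stat.S_IMODE(os.stat(dirpath).st_mode)
        if mode & ~0o755:  # any bit set that 755 does not grant
            deny = False
            htaccess = os.path.join(dirpath, ".htaccess")
            if os.path.isfile(htaccess):
                with open(htaccess) as fh:
                    # the mitigation the post recommends for such directories
                    deny = "deny from all" in fh.read().lower()
            findings.append((os.path.relpath(dirpath, webroot), f"{mode:o}", deny))
    return sorted(findings)

def build_sample_tree():
    """Constructed (hypothetical) public_html: images/ at 755, cache/ at 777
    with no protection, uploads/ at 777 but carrying a deny-all .htaccess."""
    root = tempfile.mkdtemp(prefix="public_html_")
    for name, mode in (("images", 0o755), ("cache", 0o777), ("uploads", 0o777)):
        path = os.path.join(root, name)
        os.mkdir(path)
        os.chmod(path, mode)
    with open(os.path.join(root, "uploads", ".htaccess"), "w") as fh:
        fh.write("Deny from all\n")
    return root

if __name__ == "__main__":
    for rel, mode, deny in permissive_dirs(build_sample_tree()):
        status = "protected by deny-all .htaccess" if deny else "EXPOSED"
        print(f"{rel}: mode {mode} ({status})")
```

Run it monthly against each account's public_html and treat every EXPOSED line as a ticket for the audit team.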

13. PHP settings

Tweak your local PHP settings for better security by disabling unnecessary functions and options. Here are some sample recommended directives:

allow_url_fopen = Off
disable_functions = proc_open, popen, disk_free_space, set_time_limit, leak, tmpfile, exec, system, shell_exec, passthru

Note that the above directives can cripple your code’s functionality. They have to be placed in a php.ini file in each directory you’d like them applied to.

Deny libwww-perl and other bots access to your site. This can easily be done with the following rules in your .htaccess:

SetEnvIfNoCase User-Agent libwww-perl bad_bots
Order Deny,Allow
Deny from env=bad_bots

If you are not using Perl scripts, deny access to these files. In your home directory create a .htaccess file with the following content:

##Deny access to all CGI, Perl, Python and text files
<FilesMatch "\.(cgi|pl|py|txt)$">
Deny from all
</FilesMatch>

##If you are using a robots.txt file, remove the # sign from the
##following 3 lines to allow access only to the robots.txt file:
#<FilesMatch "^robots\.txt$">
#Allow from all
#</FilesMatch>

The above will prevent Perl scripts from being executed. Many exploits/backdoors are written in Perl, and the above rule will prevent them from running. This directive applies to all your subdirectories as well.

Filter possible intrusions with Apache’s mod_security, an application firewall integrated with Apache.

14. Auto IP Blocking Script

Make a script that blocks IPs in the firewall when it finds irregular events or a high frequency of attempts.
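An added example of such a script for item 14 (not the post’s own): it reads sshd lines in the standard auth.log format, counts failed logins per source IP in a sliding window, and returns the iptables rules an operator would apply. The log lines are a constructed sample, and the commands are only returned as strings so the script can be checked offline before it is wired into the firewall.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample of sshd lines in /var/log/auth.log syslog format.
SAMPLE_LOG = """\
Dec 22 08:20:01 web1 sshd[2101]: Failed password for root from 203.0.113.9 port 51022 ssh2
Dec 22 08:20:03 web1 sshd[2101]: Failed password for root from 203.0.113.9 port 51023 ssh2
Dec 22 08:20:04 web1 sshd[2102]: Failed password for invalid user admin from 203.0.113.9 port 51024 ssh2
Dec 22 08:20:06 web1 sshd[2103]: Failed password for invalid user test from 203.0.113.9 port 51025 ssh2
Dec 22 08:20:09 web1 sshd[2104]: Failed password for root from 203.0.113.9 port 51026 ssh2
Dec 22 08:21:10 web1 sshd[2110]: Failed password for bob from 198.51.100.7 port 40010 ssh2
Dec 22 08:21:40 web1 sshd[2111]: Accepted publickey for bob from 198.51.100.7 port 40011 ssh2
Dec 22 08:35:00 web1 sshd[2120]: Failed password for root from 203.0.113.9 port 51027 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port"
)

def failed_logins(text, year=2013):
    """Yield (timestamp, source_ip) for each failed-password line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"), m["ip"]

def offenders(text, max_fails=5, window_s=600):
    """IPs with at least max_fails failures inside any window_s-second span."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still in window
    hits = set()
    for ts, ip in failed_logins(text):
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()           # drop failures older than the window
        if len(q) >= max_fails:
            hits.add(ip)
    return hits

def block_commands(ips):
    """Firewall rules an operator would apply; returned as strings, not executed."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in sorted(ips)]

if __name__ == "__main__":
    for cmd in block_commands(offenders(SAMPLE_LOG)):
        print(cmd)
```

Whitelist your company network (item 5) before running the output, so a mistyped admin password cannot lock out your own team.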

15. Over & above Application Level

In addition to application-level security, the permissions of the programs (CGI, PHP, etc.) executed by the web server are an issue. If they run with the permissions of the web server, a malicious user can access the files provided by other users; configuration files with database credentials are a particular concern here. If those programs instead run with the permissions of the individual users, they may modify the program files themselves. This can make it easier to exploit security issues in the applications; for example, a .php script might not properly validate file names when it saves files. And since the users need write permissions in the web directory, the PHP program has write permissions there too.

In addition to these measures, keep security patches up to date and keep your server free of malware, viruses, etc. with antivirus software. The ways to secure a server are endless; we have tried to list all the important measures you should implement for securing your servers.